Skip to main content

Google Security Operations Integration Setup

This guide walks you through enabling the required API, creating a least-privilege custom role, and gathering the information required to connect your Google Security Operations instance as a SIEM with RAD Security. Google Security Operations (formerly Chronicle) provides cloud-native threat detection, investigation, and response at scale, with deep integration into the Google Cloud ecosystem.

Prerequisites

Before you begin, ensure you have:
  • A Google Security Operations instance provisioned in a Google Cloud project
  • Access to the Google Cloud Console with permissions to enable APIs, create custom IAM roles, and create service accounts
  • Access to a RAD Security workspace with integration permissions
Chronicle API Required: The Chronicle API must be enabled on your Google Cloud project before creating the custom role. Without it, the IAM permissions used in this guide will not appear in the role editor.

Understanding Integration Components

The Google Security Operations integration uses a Google Cloud service account authenticated with a JSON key:
Purpose: Authenticate RAD Security to your Google Security Operations instanceUse Case: Provide a non-user identity that can be rotated and audited independentlyAuthentication: OAuth 2.0 service account with a downloaded JSON key file

Step 1: Enable the Chronicle API

1

Sign in to Google Cloud Console

Sign in to the Google Cloud Console with an account that has permission to enable APIs on your project.
2

Open the API Library

Navigate to APIs & Services → Library.
3

Find the Chronicle API

Search for Chronicle API in the library.
4

Enable the API

Click Enable. Wait for the API to finish enabling before continuing.

Step 2: Gather your Security Operations values

1

Note your Project ID

Open the project picker at the top left of the Google Cloud Console. Filter or find your project in the list and copy the ID value to a safe location.
The Project ID is distinct from the project name and project number. Make sure you copy the ID.
2

Open Google SecOps

From the console search bar, navigate to Google SecOps.
3

Open Instance Details

On the Overview page, expand the Instance Details section.
4

Copy Customer ID and Region

Record the following values to a safe location:
  • Customer ID
  • Region (typically us or eu)

Step 3: Create a Limited Permissions Role

You can skip this step and use the built-in Chronicle API Admin role instead, but that grants far more access than RAD Security requires.
1

Open the IAM Roles editor

Follow the Google documentation to create a custom role in the IAM application.
2

Configure role metadata

Provide the following values:
FieldValue
TitleA descriptive title (e.g., “RAD Security SecOps Reader”)
DescriptionA short description of the role’s purpose
IDA unique role ID
Role launch stageGeneral Availability
3

Add the required permissions

Locate and add the following permissions:
PermissionRequired
chronicle.events.importOnly if using event ingestion
chronicle.events.udmSearchYes
chronicle.logTypes.listYes
chronicle.legacies.legacySearchDetectionsYes
chronicle.legacies.legacyGetDetectionYes
This list may expand as RAD Security adds features to the Google Security Operations connector.
4

Create the role

Click Create to save the custom role.

Step 4: Create a Service Account

1

Create a new service account

Follow the Google documentation to create a new service account.
2

Assign the role

When prompted to assign a role, select either:
  • The custom role created in Step 3 (recommended), or
  • The built-in Chronicle API Admin role
There is no need to assign additional users or admins to the service account unless desired.
3

Create a service account key

Follow the Google documentation to create a service account key. This downloads a JSON file containing the values needed to authenticate with Google.
4

Extract the credential values

From your downloaded key file, record the following values to a safe location:
  • Client ID (client_id)
  • Client Email (client_email)
  • Private Key (private_key)
Store the key file securely. Anyone with access to this file can authenticate as the service account. Treat it like a password and store it in a secrets vault.

Step 5: Configure in RAD Security

Navigate to your RAD Security workspace and configure the Google Security Operations integration with the following parameters:
ParameterRequiredDescriptionExample
Client IDYesThe client_id value from your service account key file (Step 4)123456789012345678901
Client SecretYesThe private_key value from your service account key file (Step 4)-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n
Client EmailYesThe client_email value from your service account key file (Step 4)rad-security@my-project.iam.gserviceaccount.com
Customer IDYesThe Customer ID gathered in Step 201234567-89ab-cdef-0123-456789abcdef
Project IDYesThe GCP Project ID gathered in Step 2my-secops-project
RegionNoThe Region gathered in Step 2us or eu
Base URLNoLeave blank in most cases — RAD Security constructs the region-specific API URL automaticallyhttps://us-chronicle.googleapis.com
Token URLNoLeave blank to use the default Google OAuth 2.0 token endpointhttps://oauth2.googleapis.com/token
About the Client Secret field: For Google service accounts, the Client Secret value is the full PEM-encoded private_key string from your downloaded key file — not a typical OAuth client secret. Include the -----BEGIN PRIVATE KEY----- / -----END PRIVATE KEY----- delimiters and embedded newlines exactly as they appear in the file.
Custom Base URL: Only set the Base URL field if you are targeting a non-standard instance of the Google Cloud Platform. If supplying a custom value, provide the root URL without any paths — for example https://us-chronicle.googleapis.com.

Verify Integration

After completing the setup, verify your integration is working:

Verify Query Capability

  1. Run a test query from RAD Security
  2. Verify Google Security Operations data appears correctly
  3. Check that results are properly formatted

Verify Data Ingestion

If you enabled event ingestion (chronicle.events.import):
  1. Trigger a test event in RAD Security
  2. Search for the event in Google Security Operations
  3. Verify the event appears with correct UDM formatting
Your Google Security Operations integration is now configured! RAD Security can query and forward events to your Security Operations instance based on your configuration.

What Data is Synced

RAD Security can query the following:
  • UDM events and search results
  • Detections from legacy detection rules
  • Available log types in your instance
  • Historical security telemetry
RAD Security can forward the following when event ingestion is enabled:
  • Runtime security events
  • Container and cloud activity
  • Policy violations
  • Threat detections
  • Incident data
  • Custom security events

Use Cases

Unified Threat Intelligence

Correlate Google Security Operations telemetry with RAD Security’s runtime insights for comprehensive threat detection.

Cross-Platform Detection

Detect threats that span Google Cloud, endpoints, and containerized infrastructure using unified data sources.

Enhanced Investigation

Pivot from RAD Security runtime context into Google Security Operations’ investigation tools.

Centralized SIEM

Use Google Security Operations as a central SIEM for all security events including container and cloud workloads.

Troubleshooting

Possible causes:
  • Chronicle API not enabled on the project
  • Wrong project selected in the console
Solution:
  • Confirm you are working in the correct Google Cloud project
  • Re-enable the Chronicle API under APIs & Services → Library
  • Wait a few minutes after enabling before reopening the role editor
Possible causes:
  • Client Email, Client ID, or Client Secret copied incorrectly
  • Service account key was deleted or rotated
  • Service account is missing the required role
  • Newline characters stripped from the Client Secret (private key)
Solution:
  • Verify all three credential values come from the same key file
  • Ensure the Client Secret includes the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- lines and embedded newlines
  • Confirm the service account still has the custom role or Chronicle API Admin assigned
  • Generate a new service account key if needed
Possible causes:
  • Custom role missing one or more required permissions
  • Service account assigned a different role
  • Project ID mismatch
Solution:
  • Verify the custom role includes chronicle.events.udmSearch, chronicle.logTypes.list, chronicle.legacies.legacySearchDetections, and chronicle.legacies.legacyGetDetection
  • Confirm the Project ID configured in RAD Security matches the project where the service account lives
  • Re-bind the role to the service account if it was removed
Possible causes:
  • chronicle.events.import permission missing
  • Region mismatch
  • Customer ID incorrect
Solution:
  • Add chronicle.events.import to the custom role
  • Verify the Region (us, eu, etc.) matches your Security Operations instance
  • Re-check the Customer ID from Instance Details
Possible causes:
  • Wrong Region value supplied
  • Custom URL pointing to the wrong region
Solution:
  • Confirm the Region from the Instance Details page in Google SecOps
  • Leave the URL field blank unless you have a specific reason to override it
  • If overriding, supply the root URL only — for example https://us-chronicle.googleapis.com

Security Best Practices

Use a Custom Role

Prefer the least-privilege custom role over the built-in Chronicle API Admin role.

Rotate Service Account Keys

Periodically rotate service account keys as part of normal security hygiene.

Secure Credential Storage

Store the JSON key file in a secrets vault. Never commit it to source control.

Dedicated Service Account

Use a service account dedicated to RAD Security rather than sharing one across integrations.

Monitor API Usage

Review service account activity in Google Cloud audit logs to detect anomalous behavior.

Audit Access

Periodically review service accounts and remove any that are no longer in use.

Additional Resources

Google Security Operations Onboarding

Official Google documentation for provisioning a Security Operations instance

Create a Custom IAM Role

Google documentation for creating custom IAM roles

Create a Service Account

Google documentation for creating service accounts

Create a Service Account Key

Google documentation for generating service account keys

Next Steps

SIEM Integrations Overview

Explore other SIEM integration options

Runtime Security

Learn what runtime events are sent to your SIEM

Threat Models

Understand how threats are detected and classified

Alerts & Incidents

Configure alert rules to forward to your SIEM